 Research
 Open access
 Published:
Prior entanglement exponentially improves oneserver quantum private information retrieval for quantum messages
EPJ Quantum Technology volume 11, Article number: 55 (2024)
Abstract
Quantum private information retrieval (QPIR) for quantum messages is a quantum communication task, in which a user retrieves one of the multiple quantum states from the server without revealing which state is retrieved. In the oneserver setting, we find an exponential gap in the communication complexities between the presence and absence of prior entanglement in this problem with the oneserver setting. To achieve this aim, as the first step, we prove that the trivial solution of downloading all messages is optimal under QPIR for quantum messages, which is a similar result to that of classical PIR but different from QPIR for classical messages. As the second step, we propose an efficient oneserver oneround QPIR protocol with prior entanglement by constructing a reduction from a QPIR protocol for classical messages to a QPIR protocol for quantum messages in the presence of prior entanglement.
1 Introduction
1.1 Private information retrieval (PIR)
Entanglement is a valuable resource for quantum information processing, enabling various tasks including quantum teleportation [1] and dense coding, also known as entanglementassisted communication [2]. Although entanglementassisted communication enhances the speed not only for conventional communication but also for secret communication, their improvements are limited to constant times [3, 4]. In addition, it is often assumed in theoretical investigations of distributed quantum protocols that prior entanglement is available as a free resource because prior entanglement can be seen as a quantum counterpart of prior shared randomness [5, 6]. That is, one of great advantages of quantum system is to use prior entanglement instead of prior randomness. For further development of entanglementassisted communication, we need to find significant improvement by entanglementassisted communication.
For this aim, we focus on private information retrieval (PIR) as Fig. 1, a task in which a user retrieves a message from a server without revealing which message has been retrieved, when the server possesses multiple messages. Hence, PIR is a key technology for keeping the privacy because it enables a person to hide his/her demand even with making his/her request. Therefore, it is a crucial issue for quantum information whether the use of entanglement enhances the performance of PIR.
Many papers [7–21] studied Quantum PIR (QPIR), i.e., PIR using quantum states, when the intended messages are given as the classical messages. This problem setting is simplified to CQPIR. On the other hand, since various types of quantum information processings require the transmission of quantum states, i.e., the quantum messages [22–26], it is needed to develop QPIR for quantum messages, which is simplified to QQPIR, while no preceding paper studied this topic. In addition, in the multiparty quantum computing [27, 28], we often need to transmit quantum messages, i.e., quantum input states, instead of classical messages since it requires the protection of the coherence during the process of quantum computation. Therefore, for further development of quantum computer science, it is important to study various communication with quantum messages in addition to classical messages.
In this paper, to enhance quantum information technology, we study private information retrieval for quantum messages with one server, and present an exponential speedup through the use of prior entanglement as a significant improvement. Although there have been mainly two approaches: PIR with computational assumptions [29, 30] and PIR with multiple servers [31–33], recent attention has focused on informationtheoretic aspects of PIR [34–48]. In this paper, we solely consider oneserver QPIR without computational assumptions.
1.2 QPIR for classical messages
PIR has also been studied when quantum communication is allowed between the user and the server [7–21]. These papers consider the case when the total number of bits in the messages is \(\mathsf{m}\). For the secrecy in CQPIR, we often focus on the potential information leakage in all rounds, which is called the allround criterion in this paper and has been studied under several security models. One is the honestserver model, in which, we discuss the user’s secrecy only when the server is honest, i.e., the server does not deviate from the protocol. The other is the speciousserver model, in which, we discuss the user’s secrecy even when the server deviates from the protocol as far as its dishonest operations are not revealed to the user, which is called specious adversary. The secrecy under the speciousserver model has a stronger requirement than the secrecy under the honestserver model. Interestingly, under the honestserver model, Le Gall [11] proposed a CQPIR protocol with communication complexity \(O(\sqrt{\mathsf{m}})\) in the allround criterion, and Kerenidis et al. [12] improved this result to \(O(\mathrm{poly}\log \mathsf{m})\) in another criterion, where the communication complexity in the quantum case is the total number of communicated qubits. Baumeler and Broadbent [10] considered the case when the speciousserver model is adopted and the possible input states are extended to arbitrary superposition states. Then, they proved that the communication complexity is at least \(\Theta (\mathsf{m})\), i.e., the trivial solution of downloading all messages is optimal also for this case. While indeed less realistic than the fully dishonest server model, investigating the honest model and the specious model is very often a fundamental (and necessary) step in cryptographic applications. Such investigations receive significant attention from the quantum cryptography community. For instance, the key paper [13] also focused on QPIR in the honest server model and the specious server model. These facts show that this problem setting has sufficient impact in the area of quantum computer science. In this paper, when arbitrary superposition states are allowed as input states, we consider the following; The user is required to recover the correct classical information only when the input state is a classical state. In other words, when the input state is a superposition state, any output is considered as a correct outcome.
Even when prior entanglement is allowed between the user and the server, the communication complexity is also lower bounded by \(\Theta (\mathsf{m})\) under the speciousserver model with the above extended possible input states [13]. Therefore, the advantage of prior entanglement is limited under the speciousserver model with the above extended possible input states. In contrast, prior entanglement might potentially have polynomial improvement under the honestserver model, but it is still unclear how much prior entanglement improves communication complexity under the honestserver model.
When the server truly follows the protocol, the information obtained by the server is limited to the server’s final state. Hence, the information leakage in the server’s final state can be considered as another criterion, which is called the finalstate criterion. While the finalstate criterion under the honestserver model is a too weak setting, it is reasonable to consider the finalstate criterion under the speciousserver model, which is essentially equivalent to the cheatsensitive setting studied in [49].
1.3 Our contributions
In this paper, for QQPIR protocols and the total number \(\mathsf{m}\) of qubits, we show that the communication complexity is at least \(\Theta (\mathsf{m})\), i.e., the trivial solution of downloading all messages is optimal for oneserver QQPIR even in the finalstate criterion and even with the honestserver model if prior entanglement is not allowed between the server and the user. This fact shows that prior entanglement between the server and the user is necessary for further improvement under the oneserver model even for QQPIR under the honestserver model, the weakest secrecy requirement. To overcome this problem, we propose a oneserver QQPIR protocol with prior entanglement between the server and the user, which achieves the communication complexity \(O(\log \mathsf{m})\). That is, prior entanglement has exponential improvement for QQPIR under the honestserver model.
1.4 Organization of this paper
The remainder of the paper is organized as follows. Section 2 gives the definitions of several concepts and the outline of our results including the comparison with existing results. Section 3 is the technical preliminaries of the paper. Section 4 presents our results for CQPIR protocol with communication complexity \(O( \log \mathsf{m})\). Section 5 derives the lower bound of the communication complexity for QQPIR in the finalstate criterion under the honestserver model when prior entanglement is not shared. Section 6 proposes an efficient QQPIR protocol with prior entanglement under various settings. Section 7 is the conclusion of the paper.
2 Definitions and outline of our results
2.1 Definitions of various concepts
To briefly explain our results, we prepare the definitions of various concepts to cover CQPIR protocols and QQPIR protocols in a common framework.
2.1.1 Correctness, complexity, and unitarytype
To discuss the properties of our QPIR protocols, we prepare several concepts. First, we define the set \(\mathcal{S}\) of possible quantum states as a subset of the set \({\mathcal{S}}({\mathcal{H}}_{d})\) of states on \(\mathbb{C}^{d} \). A QPIR protocol is called a QPIR protocol with \(\mathbb{C}^{d} \) over the set \(\mathcal{S}\) when it works when the set \(\mathcal{S}\) is the set of possible quantum states. For example, when \(\mathcal{S}\) is the set \({\mathcal{C}}\) of orthogonal pure states \(\{ j\rangle \}_{j=0}^{d1}\), a QPIR protocol is a CQPIR protocol discussed in [10]. In contrast, when \(\mathcal{S}\) is the set \({\mathcal{Q}}\) of all pure states on the system \(\mathbb{C}^{d} \), a QPIR protocol is a QQPIR protocol. When we do not identify the set \(\mathcal{S}\), we consider that it is given as the above case. We denote the number of messages by \(\mathsf{f}\). A QPIR protocol Φ has two types of inputs. The first input is composed of \(\mathsf{f}\) messages, whose systems are written as \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\). Their state is written as \(\mathsf{f}\) states \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \mathcal{S}^{\mathsf{f}}\). The second input is the choice of the label of the message intended by the user, which is written as the random variable K. The quantum system to describe the variable K is denoted by \({\mathcal{K}}\). We denote the remaining initial user’s and server’s systems by \({\mathcal{R}}_{u}\) and \({\mathcal{R}}_{s}\), respectively. The output of the protocol is a state \(\rho _{out}\) on \({\mathcal{H}}_{d}\).
A QPIR protocol Φ has bilateral communication. The communication from the user to the servers is the upload communication, and the communication from the servers to the users is the download communication. The communication complexity is composed of the upload complexity and the download complexity. The upload complexity is the sum of the communication sizes of all upload communications, and the download complexity is the sum of the communication sizes of all download communications. The sum of the upload and download complexity is called the communication complexity. We adopt the communication complexity as the optimality criterion under various security conditions.
A QPIR protocol Φ is called a deterministic protocol when the following two conditions hold. The upload complexity and the download complexity are determined only by the protocol Φ. When the user and the servers are honest, the output is determined only by \((\rho _{1}, \ldots , \rho _{\mathsf{f}})\) and K. When Φ is a deterministic protocol, we denote the output state by \(\Phi _{out}(\rho _{1}, \ldots , \rho _{\mathsf{f}},K)= \rho _{out}\). The upload complexity, the download complexity, and the communication complexity are denoted by \(UC(\Phi )\), \(DC(\Phi )\), and \(CC(\Phi )\), respectively. Hence, the communication complexity \(CC(\Phi )\) is calculated as \(UC(\Phi )+DC(\Phi )\). A protocol Φ is called correct when the protocol is a deterministic protocol and the relation \(\Phi _{out}(\rho _{1}, \ldots , \rho _{\mathsf{f}},k)=\rho _{k}\) holds for any elements \(k \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \mathcal{S}^{\mathsf{f}}\).
Another important class of QPIR protocols is unitarytype protocols. When a QPIR protocol Φ satisfies the following conditions, it is called unitarytype.

The initial states \(\rho _{{\mathcal{R}}_{s}}\) on \({\mathcal{R}}_{s}\) and \(\rho _{{\mathcal{R}}_{u}}\) on \({\mathcal{R}}_{u}\) are pure.

At each round, both the user and the server apply only unitary operations to the systems under their control.

A measurement is done only when the user reads out the message as the outcome of the protocol.
The reference [13] refers to the above property as measurementfree due to the third condition while it assumes the first and second conditions implicitly. Since the first and second conditions are more essential, we call it unitarytype.
2.1.2 Secrecy
In this paper, we address only the secrecy of the user’s choice. There are two security criteria. One is the finalstate criterion, in which, it is required that the server’s final state does not depend on the user’s choice K. The other is the allround criterion, in which, it is required that the server’s state in any round does not depend on the user’s choice K. When we consider the secrecy, we may extend the set of possible inputs to \(\tilde{\mathcal{S}}\) that includes the set \({\mathcal{S}}\). For example, in the case of CQPIR, the set \({\mathcal{S}}\) is given as the set \({\mathcal{C}}\). Then, we can choose \(\tilde{\mathcal{S}}\) as the set \({\mathcal{C}}\) or \({\mathcal{Q}}\). The case with \(\tilde{\mathcal{S}}={\mathcal{C}}\) is called the classical input case, and the case with \(\tilde{\mathcal{S}}={\mathcal{Q}}\) is called the superposition input case. Instead, in the case of QQPIR, the set \({\mathcal{S}}\) is given as the set \({\mathcal{Q}}\). Hence, the set \(\tilde{\mathcal{S}}\) is chosen as the same set \({\mathcal{Q}}\).
Even when we fix the security criterion and the sets \({\mathcal{S}}\) and \(\tilde{\mathcal{S}}\), there still exist three models for the secrecy for a QPIR protocol Φ. The first one is the honestserver model, which assumes that the servers are honest. We say that a QPIR protocol Φ satisfies the secrecy in the finalstate criterion under the honestserver model with input states \(\tilde{\mathcal{S}}\) when the following condition holds. When the user and the servers are honest, the server has no information for K in the final state, i.e., the relation
holds for any \(k,k' \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{S,F} (\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) is the final state on the server dependent of the variable K. In the condition (1), the states \(\rho _{k}\) is chosen from \(\tilde{\mathcal{S}}\), not from \({\mathcal{S}}\). We say that a QPIR protocol Φ satisfies the secrecy in the allround criterion under the honestserver model with input states \(\tilde{\mathcal{S}}\) when the following condition holds, the server has no information for K in all rounds, i.e., the relation
holds for any \(k,k' \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{S,j} (\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) is the state on the server dependent of the variable K when the server receives the query in the jth round. The following is the meaning of the secrecy in the allround criterion under the honestserver model. Assume that the user and the server are honest. Even when the server stops the protocol at the jth round for any j, the server cannot obtain any information for K.
The second model is called the speciousserver model introduced in [50]. When the server applies other operations that deviate from the original protocol, such an operation is called an attack. An attack of the server is called a specious attack when the attack satisfies the following conditions. The server sends the answer at the time specified by the protocol, but the contents of the answer do not follow the protocol. Also, the server does not access the information under the control of the user. In addition, the attack is not revealed to the user under the condition that the user is honest, i.e., there exists the server’s operation \({\mathcal{F}}_{S,j}\) such that the relation
holds for any \(k\in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{j}(\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) (\(\tilde{\rho}_{j}( \rho _{1}, \ldots , \rho _{\mathsf{f}},K)\)) is the state on the whole system dependently of the variable K when the user receives the answer in the jth round under the assumption that the user is honest and the server is honest (the server makes the attack). Notice that the definition of a specious attack depends on the choice of the set \(\tilde{\mathcal{S}}\). The meaning of (3) is the following. When the user decides to stop the protocol to check whether the server follows the protocol after the user receives the answer in the jth round, the user asks the server to submit the evidence that the server follows the protocol. Then, the server sends his system after applying the operation \({\mathcal{F}}_{S,j}\). When \(\tilde{\mathcal{S}} \) is chosen to be the set \({\mathcal{Q}}\) of pure states, a specious attack coincides with a socalled 0specious adversary, which is introduced in [13, Definition 2.4] because it is sufficient to check the case with even t in [13, Definition 2.4]. Also, when \(\tilde{\mathcal{S}} \) is chosen to be the set \({\mathcal{C}}\), the secrecy in the allround criterion under the specious server model coincides with the anchored 0privacy under 0specious servers [13].
We say that a QPIR protocol Φ satisfies the secrecy in the finalstate criterion (the allround criterion) under the speciousserver model with input states \(\tilde{\mathcal{S}}\) when the following condition holds. When a server performs a specious attack and the user is honest, the server obtains no information about the user’s request K in all rounds, i.e., the condition (1) (the condition (2)) holds. In fact, the secrecy condition in the finalstate criterion is weaker than the secrecy condition in the allround criterion even under the speciousserver model. The secrecy condition in the finalstate criterion under the speciousserver model is essentially equivalent to the cheatsensitive secrecy condition considered in [49].
The third model is called the dishonestserver model. We say that a QPIR protocol Φ satisfies the secrecy under the dishonestserver model when the following condition holds. When the server applies an attack and the user is honest, the server obtains no information of the user’s request K, i.e., the condition (1) holds. In the dishonestserver model, the server is allowed to make any attack under the following conditions. The server sends the answer at the time specified by the protocol, but the contents of the answer do not follow the protocol. Also, the server does not access the information under the control of the user. Thus, the server can send any information on each round under this condition. Hence, the ability of the attack does not depend on the set \(\tilde{\mathcal{S}}\). Also, the server can store the state received in any round. Hence, the server can obtain the same information in the final state as the information in the jth round.
Further, when the protocol has only one round and we adopt the allround criterion, there is no difference among the honestserver model, the speciousserver model, and the dishonestserver model because all information obtained by the server is reduced to the state on the server when the server received the query in the first round. As a result, the information obtained by the server does not depend on the server’s operation, i.e., the server’s attack model.
Remark 1
In the papers [10, 13], the security against specious adversaries means the secrecy in the allround criterion under the speciousserver model with input states \({\mathcal{Q}}\) for CQPIR in our definition. Instead, in the paper [13], the anchored specious security means the secrecy in the allround criterion under the speciousserver model with input states \({\mathcal{C}}\) for CQPIR in our definition. The papers [10, 13] did not consider the finalstate criterion.
2.2 Outline of results and comparison
2.2.1 Optimality of trivial solution for oneserver QQPIR
First, we discuss our result for oneserver QQPIR for the honestserver model without prior entanglement, and its relation to existing results. The result by the reference [10] is summarized as follows. The CQPIR protocol discussed in [10] is considered as a QPIR protocol over the set \({\mathcal{C}}\). The reference [10] showed that the trivial protocol over the set \({\mathcal{C}}\) is optimal in the allround criterion under the speciousserver model with input states \({\mathcal{Q}}\), i.e., when the secrecy in the allround criterion is imposed under the speciousserver model with input states \({\mathcal{Q}}\). Since the set \({\mathcal{C}}=\{ j\rangle \}_{j=0}^{d1}\) is included in the set \({\mathcal{Q}}\), a QQPIR protocol over the set \(\mathcal{Q}\) works a QPIR protocol over the set \({\mathcal{C}}\). Hence, the result by [10] implies the optimality of the trivial protocol over the set \({\mathcal{Q}}\) in the allround criterion under the speciousserver model. In addition, such an impossibility result was extended to the case with prior entanglement by the paper [13].
However, the secrecy in the allround criterion under the speciousserver model is a stronger condition than the secrecy in the finalstate criterion under the honestserver model because the secrecy in the allround criterion is a stronger condition the secrecy in the finalstate criterion and the speciousserver model allows the server to have a larger choice than the honestserver model.
To seek further possibility for CQPIR protocols, in Sects. 4.1 and 4.2, inspired by the idea presented in [49], we propose more efficient oneround CQPIR protocols in the finalstate criterion under the honestserver and speciousserver models with input states \({\mathcal{C}}\) or \({\mathcal{Q}}\) whose communication complexities are at most \(4\log \mathsf{m}\). In addition, the reference [11] proposed a CQPIR protocol in the allround criterion under the honest oneserver model that has communication complexity \(O(\sqrt{\mathsf{m}})\). The reference [12] also proposed a CQPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) without prior entanglement and a CQPIR protocol with communication complexity \(O( \log \mathsf{m})\) with prior entanglement. In Sect. 4.3, we show that these two protocols satisfy the secrecy in the allround criterion under the honestserver model with input states \({\mathcal{C}}\). In addition, using a conversion result [13], we show that these two protocols satisfy the secrecy in the allround criterion under the speciousserver model with input states \({\mathcal{C}}\).
Hence, we cannot exclude the possibility of more efficient oneserver QQPIR protocols than the trivial solution in the finalstate criterion or under the honest oneserver model. Furthermore, while the trivial solution is optimal under the honestserver model of classical PIR [51], its optimality proof uses the communication transcript between the server and the user, which is based on classical communication. Unfortunately, we cannot apply the same technique under the honest oneserver model of QQPIR because quantum states cannot be copied because of the nocloning theorem. Therefore, we have a question of whether there exists a QQPIR protocol over pure states that satisfies the secrecy in the finalstate criterion under the honestserver model, and improves the communication complexity over the trivial protocol.
As its solution, we show that the trivial solution is optimal for oneserver QQPIR in the finalstate criterion for the honestserver model. In Tables 1 and 2, we summarize the comparison of our results with previous results for the oneserver case. In our proof, the entropic inequalities are the key instruments for the proof. Since the pair of the finalstate criterion and the honestserver model is the weakest attack model, this result implies that the trivial solution is also optimal for any attack model.
2.2.2 Oneserver QQPIR protocol with prior entanglement
However, the above discussion assumes that there is no prior entanglement shared between the sender and the user. Hence, secondly, with prior entanglement between the user and the server, we prove that there exists an efficient QQPIR protocol on the honestserver model or on the finalstate criterion. To be precise, we propose a method to construct a QQPIR protocol of communication complexity \(O(f(\mathsf{m}))\) with prior entanglement from a CQPIR protocol of communication complexity \(O(f(\mathsf{m}))\) with prior entanglement. This method is based on the combination of CQPIR and quantum teleportation [1]. The proposed QQPIR protocol inherits the security of the CQPIR protocol. With this property, we show three types of QQPIR protocols of communication complexity \(O(\log \mathsf{m})\) with prior entanglement. One is the secrecy in the finalstate criterion under the honestserver model. The second is the secrecy in the finalstate criterion under the speciousserver model. The third is the secrecy in the allround criterion under the honestserver model. Combining this result with the above result, we find that prior entanglement realizes an exponential speedup for oneserver QQPIR in the finalstate criterion or under the honestserver model. Therefore, the obtained results are summarized as Table 1 in terms of the communication complexity \(\mathsf{m}\).
3 Preliminaries
We define \([a:b] = \{a,a+1, \ldots , b\}\) and \([a] = \{1,\ldots , a\}\). The dimension of a quantum system X is denoted by \(X\). The von Neumann entropy is defined as \(H(X) = H(\rho _{X}) = \operatorname{Tr}\rho _{X}\log \rho _{X}\), where \(\rho _{X}\) is the state on the quantum system X.
Proposition 1
The von Neumann entropy satisfies the following properties.
\((a)\) \(H(X) = H(Y)\) if the state on \(X\otimes Y\) is a pure state.
\((b)\) The inequality \(H(XY) \le H(X) + H(Y)\) holds, and the equality holds for product states on \(X\otimes Y\).
\((c)\) Entropy does not change by unitary operations.
\((d)\) \(H(XY) + H(X) \geq H(Y)\).
\((e)\) \(H(\sum _{s} p_{s} \rho _{s}) = \sum _{s} p_{s} (H( \rho _{s})  \log p_{s})\) if \(\operatorname{Tr}\rho _{s} \rho _{t} = 0\) for any \(s\neq t\).
The property \((d)\) is proved as follows. Since other properties can be easily shown, we omit their proofs. For example, see the book [52, Sects. 3.1 and 8.1]. Let Z be the reference system in which the state on \(XYZ\) is pure. Then, \(H(XY)+H(X)=H(Z)+H(X)\ge H(XZ)=H(Y)\). Throughout the paper, we use the symbols \((a)\), \((b)\), \((c)\), \((d)\), \((e)\) to denote which property is used, e.g., \(\stackrel{{(\mathrm{a})}}{=}\) means that the equality holds from the property \((a)\).
Next, for a TPCP map from the system \({\mathcal{H}}_{X}\) to the system \({\mathcal{H}}_{Y}\) and a state ρ on \({\mathcal{H}}_{X}\), we define the transmission information \(I (\rho ,\Gamma )\). We choose a purification \(\psi \rangle \) of ρ with the environment \({\mathcal{H}}_{Z}\). Then, the transmission information \(I (\rho ,\Gamma )\) is defined as
where \(\iota _{Z}\) is the identity operation on \({\mathcal{H}}_{Z}\). When Γ is the identity operator,
Throughout this paper, \(\mathbb{C}^{d}\) expresses the ddimensional Hilbert space spanned by the orthogonal basis \(\{s\rangle \}_{s=0}^{d1}\). For a \(d_{1}\times d_{2}\) matrix
we define
For \(\mathsf{A}\in \mathbb{C}^{d_{1}\times d_{2}}\), \(\mathsf{B}\in \mathbb{C}^{d_{1} \times d_{1}}\), and \(\mathsf{C}\in \mathbb{C}^{d_{2} \times d_{2}}\), we have the relation
We call a ddimensional system \(\mathbb{C}^{d}\) a qudit. Define generalized Pauli matrices and the maximally entangled state on qudits as
where \(\omega = \exp (2\pi \iota / d)\) and \(\iota = \sqrt{1}\). We define the generalized Bell measurements
If there is no confusion, we denote \(\mathsf{X}_{d}\), \(\mathsf{Z}_{d}\), \(\mathsf{I}_{d}\), \(\mathbf{M}_{ \mathsf{X}\mathsf{Z},d}\) by \(\mathsf{X}\), \(\mathsf{Z}\), \(\mathsf{I}\), \(\mathbf{M}_{\mathsf{X}\mathsf{Z}}\). Let A, \(A'\), B, \(B'\) be qudits. If the state on \(A\otimes A' \otimes B \otimes B'\) is \mathsf{A}\u300b\otimes \mathsf{B}\u300b and the measurement \(\mathbf{M}_{\mathsf{X}\mathsf{Z}}\) is performed on \(A' \otimes B'\) with outcome \((a,b) \in [0:d1]^{2}\), the resultant state is
We also define the dual basis
4 Protocols for CQPIR
4.1 Oneround CQPIR of the finalstate criterion under honestserver model
This section presents a protocol that satisfies the secrecy in the finalstate criterion under the honestserver model with the input states \({\mathcal{C}}\). We assume that the ℓth message \(X_{\ell}\) is an element of \(\mathbb{Z}_{d_{\ell}}\) for \(\ell \in [\mathsf{f}]\). We define d as the maximum \(\max _{\ell \in [\mathsf{f}]}d_{\ell}\).
Protocol 1
The following protocol is denoted by \(\Phi _{\mathsf{f},d}\).

0)
Preparation: The server prepares \(\mathsf{f}+1\) quantum systems \({\mathcal{H}}_{0},{\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\), where \({\mathcal{H}}_{0}\) is spanned by \(\{j\rangle \}_{j=0}^{d1} \), and \({\mathcal{H}}_{\ell}\) is spanned by \(\{j\rangle \}_{j=0}^{d_{\ell}1} \). When the ℓth message is \(X_{\ell}\), the state on the quantum system \({\mathcal{H}}_{\ell}\) is set to be \(X_{\ell}\rangle \). Also, the state on the quantum system \({\mathcal{H}}_{0}\) is set to be \(0 \rangle \). The user prepares the system \({\mathcal{K}}\) spanned by \(\{ \ell \rangle \}_{\ell =1}^{\mathsf{f}}\).

1)
Query (upload): The user sets the state on the system \({\mathcal{K}}\) to be \(K\rangle \). The user sends the system \({\mathcal{K}}\) to the server.

2)
Answer (download): The server applies the measurement based on the computation basis \(\{ j\rangle \}\) on the systems \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) with the projective state reduction. The server applies the controlled unitary \(U:= \sum _{\ell =1}^{\mathsf{f}} \ell \rangle \langle \ell  \otimes U_{\ell}\) on \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), where \(U_{\ell}\) acts only on \({\mathcal{H}}_{0}\otimes {\mathcal{H}}_{\ell}\) and is defined as
$$\begin{aligned} U_{\ell}:=\sum _{j'=0}^{d1}\sum _{j=0}^{d_{\ell}1} j+j'\rangle \langle j'\otimes j\rangle \langle j. \end{aligned}$$(15)The server sends the system \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\) to the user.

3)
Reconstruction: The user measures \({\mathcal{H}}_{0}\), and obtains the message \(X_{K}\).
Lemma 1
Protocol 1is correct and satisfies the secrecy in the finalstate criterion under the honestserver model with the input states \({\mathcal{C}}\).
Its upload and download complexities are \(UC(\Phi _{\mathsf{f},d})=\log \mathsf{f}\) and \(DC(\Phi _{\mathsf{f},d})=\log \mathsf{f}+ \log d\). The communication complexity is \(CC(\Phi _{\mathsf{f},d})=2 \log \mathsf{f}+ \log d\). When d is fixed, \(CC(\Phi _{\mathsf{f},d})=2\log \mathsf{m}+o(\mathsf{m})\).
Proof
The correctness of Protocol 1 can be checked as follows. Since \(U_{\ell }0\rangle \otimes X_{\ell}\rangle =X_{\ell}\rangle \otimes X_{\ell}\rangle \), we have
Hence, the user gets the state \(K\rangle X_{K}\rangle \), which contains the correct information \(X_{K}\).
As shown in the following; Protocol 1 satisfies the secrecy in the finalstate criterion under the honestserver model with the input states \({\mathcal{C}}\). We assume that the server and the user are honest. Since the server follows the protocol, the server has only the \(\mathsf{f}\) systems \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\). The final state on the composite system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is \(X_{1}\rangle \cdots X_{\mathsf{f}}\rangle \), which does not depend on the user’s choice K. Hence, the above secrecy holds. □
Lemma 1 can be strengthened as follows.
Lemma 2
When we add the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) in Protocol 1before the unitary U is applied, the protocol is correct and satisfies the secrecy in the finalstate criterion under the honestserver model even with the input states \({\mathcal{Q}}\).
Proof
Even when the initial states in \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) prepared as quantum states, due to the measurement, the initial states in \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) are convex mixtures of states \(\{j\rangle \langle j\}\). Hence, the final state on the composite system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is the same as the state after the measurement, which does not depend on user’s choice K. Hence, the above secrecy holds. □
The following lemma shows the importance of measurement in Lemma 2.
Lemma 3
Protocol 1does not satisfy the secrecy in the finalstate criterion under the honestserver model even with the input states \({\mathcal{Q}}\).
Proof
Assume that the server set initial state in \({\mathcal{H}}_{\ell} \) to be \(\sum _{j=1}^{d_{\ell}}\frac{1}{\sqrt{d_{\ell}}}j\rangle \). Also, we assume that the server and the user follow Steps 1), 2), 3). Then, the final state on \({\mathcal{H}}_{K} \otimes {\mathcal{H}}_{0}\) is \(\sum _{j=1}^{d_{\ell}}\frac{1}{\sqrt{d_{\ell}}}j\rangle j\rangle \). That is, the final state on \({\mathcal{H}}_{K}\) is the completely mixed state. In contrast, the final state on \({\mathcal{H}}_{\ell}\) is the same as the initial state for \(\ell \neq K\). Hence, the secrecy condition (1) does not hold. □
Also, we have the following lemma. That is, we need to modify Protocol 1 for the speciousserver model.
Lemma 4
Protocol 1does not satisfy the secrecy in the finalstate criterion under the speciousserver model even with the input states \({\mathcal{Q}}\).
Proof
A specious server is allowed to make a measurement if the measurement does not destroy the quantum state. Since the state on the composite system \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is one of the computation basis, it is not destroyed by the measurement of the computation basis. Hence, the server can obtain the user’s choice K without state demolition. This fact shows that the speciousserver model is needed in order to forbid such an insecure protocol. However, as shown in Sect. 5, even under the honestserver model, a protocol similar to Protocol 1 does not work when the messages are given as quantum states. □
4.2 Oneround CQPIR of the finalstate criterion under speciousserver model
Protocol 1 presented in the previous subsection does not work under the speciousserver model. To resolve this problem, this section presents a protocol that satisfies the secrecy in the finalstate criterion under the speciousserver model with the input states \({\mathcal{C}}\). We assume that each message \(X_{\ell}\) is an element of \(\mathbb{Z}_{d_{\ell}}\). We define d as the maximum \(\max _{\ell}d_{\ell}\).
Protocol 2
The following protocol is denoted by \(\Phi _{\mathsf{f},d}\).

0)
Preparation: The server prepares \(\mathsf{f}+2\) quantum systems \({\mathcal{H}}_{0}',{\mathcal{H}}_{1}',{\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{ \mathsf{f}}\), where \({\mathcal{H}}_{0}'\), \({\mathcal{H}}_{1}'\) is spanned by \(\{j\rangle \}_{j=0}^{d1} \), and \({\mathcal{H}}_{\ell}\) is spanned by \(\{j\rangle \}_{j=0}^{d_{\ell}1} \). When the ℓth message is \(X_{\ell}\), the state on the quantum system \({\mathcal{H}}_{\ell}\) is set to be \(X_{\ell}\rangle \). Also, the state on the quantum system \({\mathcal{H}}_{0}'\), \({\mathcal{H}}_{1}'\) is set to be \(0 \rangle \). The user prepares the systems \({\mathcal{K}}_{0}\),\({\mathcal{K}}_{1}\) spanned by \(\{ \ell \rangle \}_{\ell =1}^{\mathsf{f}}\).

1)
Query (upload): The user generates the binary random variable A and the variable \(B \in [\mathsf{f}]\) subject to the uniform distribution. The user sets the state on the system \({\mathcal{K}}_{A}\) to be \(K\rangle \), and the state on the system \({\mathcal{K}}_{A\oplus 1}\) to be \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{ \mathsf{f}}^{B} \ell \rangle \). The user sends the systems \({\mathcal{K}}_{0}\), \({\mathcal{K}}_{1}\) to the server.

2)
Answer (download): The server applies the controlled unitary \(U:= \sum _{\ell =1}^{\mathsf{f}} \ell \rangle \langle \ell  \otimes U_{\ell}\) on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}'\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), where \(U_{\ell}\) acts only on \({\mathcal{H}}_{0}'\otimes {\mathcal{H}}_{\ell}(={\mathcal{H}}_{1}'\otimes {\mathcal{H}}_{ \ell}) \) and is defined as
$$\begin{aligned} U_{\ell}:=\sum _{j'=0}^{d1}\sum _{j=0}^{d_{\ell}1} j+j'\rangle \langle j'\otimes j\rangle \langle j. \end{aligned}$$(17)Then, the server applies the controlled unitary U on \({\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\). The server sends the systems \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}'\), \({\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) to the user.

3)
Reconstruction: The user measures \({\mathcal{H}}_{A}'\), and obtains the message \(X_{K}\).
Lemma 5
Protocol 2is correct and satisfies the secrecy in the finalstate criterion under the speciousserver model with the input states \({\mathcal{C}}\).
Its upload and download complexities are \(UC(\Phi _{\mathsf{f},d})=2 \log \mathsf{f}\) and \(DC(\Phi _{\mathsf{f},d})=2\log \mathsf{f}+ 2 \log d\). The communication complexity is \(CC(\Phi _{\mathsf{f},d})=4 \log \mathsf{f}+ 2 \log d\). When d is fixed, \(CC(\Phi _{\mathsf{f},d})=4\log \mathsf{m}+o(\mathsf{m})\).
Proof
The correctness of Protocol 2 can be checked as follows. Due to the relation (16), when \(A=0\), the state on the whole system \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}' \otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) before the server sends back the system is \(K\rangle X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle X_{1} \rangle \cdots X_{\mathsf{f}}\rangle \). Hence, the user receives the state \(K\rangle X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle \), which contains the correct information \(X_{K}\). Similarly, when \(A=1\), the user receives a state containing the correct information \(X_{K}\).
Next, we show that Protocol 2 satisfies the secrecy in the finalstate criterion under the speciousserver model with the input states \({\mathcal{C}}\). Assume that the server and the user follow the protocol. Then, the resultant state in the server’s system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is the product state \(X_{1}\rangle \ldots X_{\mathsf{f}}\rangle \). The resultant state in \({\mathcal{K}}_{A}\otimes {\mathcal{H}}_{A}'\) is \(K\rangle X_{K}\rangle \). The resultant state in \({\mathcal{K}}_{A\oplus 1}\otimes {\mathcal{H}}_{A\oplus 1}'\) is \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle \).
Hence, when \(A=0\), the specious server needs to generate the state \(K\rangle X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle \) from the state \(K\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle \). Also, when \(A=1\), the specious server needs to generate the state \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle K\rangle X_{K} \rangle \) from the state \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}\ell \rangle K\rangle \).
Since the resultant states \(K\rangle X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{ \mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle X_{\ell} \rangle \) and \(\frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}\ell \rangle X_{\ell}\rangle K\rangle X_{K} \rangle \) are unitarily equivalent to the states \(K\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}\ell \rangle \) and \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}\ell \rangle K\rangle \), it is sufficient to discuss whether the server can get certain information from the state family \({\mathcal{F}}:= \{ k\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{ \mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{b}\ell \rangle , \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{b}\ell \rangle k\rangle \}_{k,b=1}^{\mathsf{f}}\) without disturbance.
However, due to KoashiImoto [53, 54] theory (Proposition 3 in the Appendix), any measurement obtains no information for K. When the states need to be recovered because the state family \({\mathcal{F}}\) satisfies the condition (A) in the Appendix. Therefore, when the server keeps the condition for the specious server, the server cannot obtain any information for K. □
Unfortunately, adding the measurement in Step 2) cannot guarantee that the protocol satisfies the secrecy in the finalstate criterion under the speciousserver model with the input states \({\mathcal{Q}}\). That is, we have the following lemma.
Lemma 6
Even when we add the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) before the unitary U is applied, the protocol does not satisfy the secrecy in the finalstate criterion under the speciousserver model with the input states \({\mathcal{Q}}\).
Proof
Assume that the server sets a general initial pure state on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), which is potentially a superposition state. When the server applies the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) after the unitary U is applied, the state on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) is not changed. Further, even when the order of the above measurement and the unitary U is exchanged, the state on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) is not changed. Therefore, even when the server does not make the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) before the unitary U is applied, the state sent to the user is not changed.
Now, we assume that the server sets the initial state in \({\mathcal{H}}_{\ell} \) to be \(\Psi _{\ell}\rangle := \sum _{j=1}^{d_{\ell}} \frac{1}{\sqrt{d_{\ell}}}j\rangle \). When \(U_{\ell}\) is applied, the resultant state on \({\mathcal{H}}_{\ell} \) is the completely mixed state \(\rho _{mix,\ell}\). Otherwise, it is \(\Psi _{\ell}\rangle \). The resultant state on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) does not depend on whether the measurement on the computational basis on \({\mathcal{K}}_{0}\otimes {\mathcal{K}}_{1}\) is done before the unitary U. Hence, we can consider the following. When \(K=\ell \), \(U_{\ell}\) is applied with probability 1. Otherwise, \(U_{\ell}\) is applied with probability \(\frac{1}{\mathsf{f}}\). Therefore, when \(K=\ell \), the resultant state on \({\mathcal{H}}_{\ell}\) is the completely mixed state \(\rho _{mix,\ell}\). Otherwise, the resultant state on \({\mathcal{H}}_{\ell}\) is \(\frac{1}{\mathsf{f}}\rho _{mix,\ell}+(1\frac{1}{\mathsf{f}}) \Psi _{ \ell}\rangle \langle \Psi _{\ell}\). Hence, the server obtains a certain information for the value K in the final state. □
4.3 CQPIR in allround criterion
In this section, we discuss the secrecy in the allround criterion of the CQPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) under the fixed message size \(d=2\) from [12, Sect. 5], which does not use any prior entanglement, and the CQPIR protocol with communication \(O( \log \mathsf{m})\) under the fixed message size \(d=2\) from [12, Sect. 6], which uses \(\Theta (\mathsf{m})\) ebits of prior entanglement. Although these protocols fix the message size d to be 2, they can be generalized to protocols whose message sizes are fixed to an arbitrary d by treating \(\lceil \log _{2} d \rceil \) messages as one message.
4.3.1 Secrecy of the protocol from [12, Sect. 5] under the honest server model
The protocol from [12, Sect. 5] works for the case \(d=2\). The server’s input is thus \((a_{1},\ldots ,a_{\mathsf{f}})\) for \(a_{1},\ldots ,a_{\mathsf{f}}\in \{0,1\}\). The user’s input is an index \(K\in \{1,\ldots ,\mathsf{f}\}\).
The main idea is to simulate a classical multiserver PIR protocol with \(s=O(\log \mathsf{m})\) servers that has total communication complexity \(O(\mathrm{poly} \log \mathsf{m})\). Such protocols are known to exist (see, e.g., [51]) and can be described generically as follows. The user picks a uniform random variable G from \(\{1,\ldots ,\mathsf{g}\}\), computes an stuple of queries \(\{q_{1}(G,K),\ldots ,q_{s}(G,K)\}\) from \((G,K)\) by using a function \(q_{t}\), and asks query \(q_{t}(G,K)\) to the tth server. Here, for each \(t\in \{1,\ldots , s\}\), the function \(q_{t}\) satisfies the condition that the distribution of query \(q_{t}(G,K)\) is independent of K. Each server t then sends its answer \(\mathsf{ans}_{t}(q_{t}(G,K))\) to the user, who recovers \(a_{K}\) from \(\{\mathsf{ans}_{1}(q_{1}(G,K)),\ldots ,\mathsf{ans}_{s}(q_{s}(G,K)) \}\).
The protocol from [12, Sect. 5] simulates this protocol using only one server. The protocol uses \(2s+1\) quantum registers denoted \(Q,Q_{1},\ldots , Q_{s}, \mathop{Ans}_{1},\ldots , \mathop{Ans}_{s}\). For each \(t\in \{1,\ldots , s\}\), let us define the following quantum state:
Note that we have in particular
The protocol from [12, Sect. 5] consists of the following interaction between the user and the server (some details of the manipulations of the states are omitted since they are irrelevant to the secrecy proof):

1.
The user prepares the state .

2.
The user and the server iterate the following for \(t=1\) to s:

2.1
The user sends Registers \(Q_{t}\), \(\mathop{Ans}_{t}\) to the server;

2.2
The server applies a controlled unitary, where the controlling system is \(Q_{t}\) and the controlled system is \(\mathop{Ans}_{t}\). Then, the server sends back Registers \(Q_{t}\), \(\mathop{Ans}_{t}\) to the user.

2.1

3.
The user measures the joint system composed of Registers \(Q,Q_{1},\ldots , Q_{s}, \mathop{Ans}_{1},\ldots , \mathop{Ans}_{s}\) to obtain the outcome \(a_{K}\) after certain unitary operations.
We now show the secrecy of this protocol under the honest server model.
Lemma 7
The protocol from [12, Sect. 5] is unitarytype and satisfies the secrecy in the allround criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).
Proof
The protocol is clearly unitarytype. The remaining task is then to show the secrecy of this protocol in the allround criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({ \mathcal{C}}\). Observe that at each iteration there is only a message sent to the server, at Step 2.1. We thus only need to show that for each t, this message does not reveal any information about K. The state of the whole system at the end of Step 2.1 of the tth iteration is . The state of the server, obtained by tracing out all registers except \(Q_{t}\), \(\mathop{Ans}_{t}\) of is
Since the distribution of query \(q_{t}(G,K)\) is independent of K, we conclude that the whole state of the server at the end of Step 2.1 is independent of K, for each t. □
4.3.2 Secrecy of the protocol from [12, Sect. 6] under the honest server model
The protocol from [12, Sect. 6] works for the case \(d=2\) and \(\mathsf{f}=2^{\mathsf{h}}\), for \(\mathsf{h}\ge 1\). The server’s input is thus \((a_{1},\ldots ,a_{\mathsf{f}})\) for \(a_{1},\ldots ,a_{\mathsf{f}}\in \{0,1\}\). The user’s input is an index \(K\in \{1,\ldots ,\mathsf{f}\}\).
The protocol uses \(2\mathsf{h}+2\) quantum registers denoted \(R_{1},\ldots , R_{\mathsf{h}}, \mathsf{R'}_{1},\ldots , \mathsf{R'}_{ \mathsf{h}}, Q_{0},Q_{1}\). For each \(p\in \{1,\ldots , \mathsf{h}\}\), let us define the following quantum state over the two registers \(R_{t}\), \(R'_{p}\):
For any binary string \(z\in \{0,1\}^{s}\) with s even, we denote \(z[0]\) the first half of z, and \(z[1]\) the second half of z. For any binary strings \(z, z'\in \{0,1\}^{s}\), we write \(z\oplus z'\in \{0,1\}^{s}\) the string obtained by taking the bitwise parity of z and \(z'\).
The protocol from [12, Sect. 6] assumes that the server and the user initially share the state
where \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) are owned by the server and \(R'_{1},\ldots , R'_{\mathsf{h}}\) are owned by the user. The protocol consists of the following interaction between the user and the server (some details of the manipulations of the states are omitted since they are irrelevant to the secrecy proof):

1.
For p from 1 to \(\mathsf{h}\) the server and the user do the following:

1.1
The server applies a unitary \(V_{p}\) (defined in [12, Eq. (27)]) on Registers \(R_{p1}\), \(R_{p}\), \(Q_{0}\), \(Q_{1}\) and then sends Registers \(Q_{0}\), \(Q_{1}\) to the user;

1.2
If the pth bit of its input K is 0, the user applies the Pauli gate Z on Register \(Q_{0}\). If the pth bit of K is 1, the user applies Z on Register \(Q_{1}\). The user then sends back Registers \(Q_{0}\), \(Q_{1}\) to the server.

1.3
The server applies again the unitary \(V_{p}\) on Registers \(R_{p1}\), \(R_{p}\), \(Q_{0}\), \(Q_{1}\), and then applies a Hadamard transform on each qubit in Register \(R_{p}\).

1.4
The user applies a Hadamard transform on each qubit in Register \(R'_{p}\).

1.1

2.
The server sends Register \(R_{\mathsf{h}}\) to the user. The user measures the joint system composed of Registers \(R'_{1},\ldots , \mathsf{R'}_{\mathsf{h}}\) and Register \(R_{\mathsf{h}}\), and performs some classical postprocessing on the outcome to obtain \(a_{K}\)
The following lemma from [12] will be useful for our secrecy proof: Lemma 2 in [12] shows that the state of the whole system at the end of Step 1.3 is
with
where the sum is over all strings \(y^{1}\in \{0,1\}^{2^{\mathsf{h}1}},\ldots ,y^{p}\in \{0,1\}^{2^{ \mathsf{h}p}}\) and we use the convention that \(y^{0}\) is the server’s input \((a_{1},\ldots ,a_{\mathsf{f}})\).^{Footnote 1} Here the server owns Registers \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) while the user owns Registers \(R'_{1},\ldots , R'_{\mathsf{h}}\).
We now show the secrecy of this protocol under the honest server model (see also Appendix B in [13]).
Lemma 8
The protocol from [12, Sect. 6] is unitarytype and satisfies the secrecy in the allround criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).
Proof
The protocol is clearly unitarytype. The remaining task is then to show the secrecy of this protocol in the allround criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({ \mathcal{C}}\). Since the initial state does not depend on K, it is sufficient to show that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.2 of the pth round is independent of K.
Observing that tracing out Registers \(R'_{1},\ldots ,R'_{j}\) from gives the state
which is independent of K, we find that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.3 of the pth round is independent of K, for each p. Since the unitaries applied in Step 1.3 by the server are independent of K, we conclude that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.2 of the pth round is independent of K. □
4.3.3 Secrecy under the specious server model
Finally, we discuss the secrecy under the specious server model. We will rely on the following theorem from [13] for unitarytype QPIR protocols.
Proposition 2
(Theorem 3.2 in [13])
When a unitarytype QPIR protocol satisfies the secrecy in the allround criterion under the honest server model with the set \(\tilde{\mathcal{S}}=\mathcal{C}\), it satisfies the secrecy in the allround criterion under the specious server model with the same set \(\tilde{\mathcal{S}}=\mathcal{C}\).
We thus obtain the following corollary of Lemmas 7 and 8.
Corollary 1
The protocols from [12, Sect. 5] and [12, Sect. 6] satisfy the secrecy in the allround criterion under the specious server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).
Therefore, when the message size d is fixed to a constant, there exists a CQPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) (\(O( \log \mathsf{m})\)) and without any prior entanglement (with prior entanglement) that satisfies the secrecy in the allround criterion under the specious server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).
5 Optimality of trivial protocol in finalstate criterion for QQPIR under honest server model
In this section, we prove that the trivial solution of downloading all messages is optimal for QQPIR. In particular, this section, unlike the references [10, 13], we show the optimality in the finalstate criterion under the honestserver model. Since our setting is discussed under the honestserver model, the secrecy in the finalstate criterion is required only when the server follows the determined state preparation process and determined quantum operations. In the formal description of our protocols, we consider that the user and the server apply CPTP maps but we describe the CPTP maps by the equivalent representation with the unitary maps and the local quantum memories.
To be precise, we define the \(\mathsf{r}\)round QQPIR protocol as follows. A 2round protocol is depicted in Fig. 2, and the symbols are summarized as Table 3. The message states are given as arbitrary \(\mathsf{f}\) states \(\rho _{[\mathsf{f}]}:=\rho _{1}\otimes \cdots \otimes \rho _{ \mathsf{f}}\) on \(S^{(0)} = X_{1}\otimes \cdots \otimes X_{\mathsf{f}}\), where each of \(\rho _{\ell}\) is purified in \(X_{\ell}\otimes R_{\ell}\). We use the notation \(R_{[\mathsf{f}]}:=R_{1}\otimes \cdots \otimes R_{\mathsf{f}}\). The server contains the system \(S^{(0)}\). The user chooses the index of the targeted message \(K\in [\mathsf{f}]\), i.e., \(\rho _{k}\) is the targeted quantum state when \(K=k\). When \(K=k\), the user prepares the initial state as \(k\rangle \otimes 0\rangle \in A^{(0)} \otimes T^{(0)}\). Although we consider the model in which the user and the server apply CPTP maps, we describe it by the equivalent representation with the unitary maps and the local quantum memories. A QQPIR protocol Φ is described by unitary maps \(\mathcal{D}^{(0)},\ldots ,\mathcal{D}^{(\mathsf{r})}, \mathcal{E}^{(1)}, \ldots ,\mathcal{E}^{(\mathsf{r})}\) in the following steps.

1.
Query (upload): For all \(i \in [\mathsf{r}]\), the user applies a unitary map \(\mathcal{D}^{(i1)}\) from \(A^{(i1)}\otimes T^{(i1)}\) to \(Q^{(i)} \otimes T^{(i)}\), and sends \(Q^{(i)}\) to the sender. Here, \(T^{(i)}\) are the user’s local quantum systems for describing the CPTP maps applied by the user.

2.
Answer (download): For all \(i \in [\mathsf{r}]\), the server applies a unitary map \(\mathcal{E}^{(i)}\) from \(Q^{(i)} \otimes S^{(i1)}\) to \(A^{(i)}\otimes S^{(i)} \) and sends \(A^{(i)}\) to the user. Here, \(S^{(i)}\) are the server’s local quantum systems for describing the CPTP maps applied by the server.

3.
Reconstruction: The user applies \(\mathcal{D}^{(\mathsf{r})}\) from \(A^{(\mathsf{r})}\otimes T^{(\mathsf{r})}\) to \(Y \otimes E\), and outputs the state on Y as the protocol output.
The inputoutput relation \(\Lambda _{\Phi}\) of the protocol Φ is written with a CPTP \(\Gamma _{\Phi ,k}\) from \(S^{(0)}\) to Y as
where \(\mathcal{D}\ast \mathcal{E}= ( \mathcal{D}^{(\mathsf{r})} \circ \mathcal{E}^{(\mathsf{r})} )\circ \cdots \circ ( \mathcal{D}^{(1)} \circ \mathcal{E}^{(1)} ) \). The QPIR protocol Φ should satisfy the following conditions.

Correctness: When \(\psi _{k}\rangle \langle \psi _{k} \) denotes a purification of \(\rho _{k}\) with the reference system \(R_{k}\), the correctness is
$$\begin{aligned} \Gamma _{\Phi ,k}\otimes \operatorname{id}_{R_{k}}(\rho _{[\mathsf{f}]\setminus \{k \}} \otimes \psi _{k}\rangle \langle \psi _{k} ) = \psi _{k} \rangle \langle \psi _{k}  \end{aligned}$$(19)for any \(K=k\) and any state \(\rho _{[\mathsf{f}]}\).

Secrecy: When the final state on \(S^{(\mathsf{r})} \otimes R_{[\mathsf{f}]}\) with the target index \(K=k\) is denoted by \(\rho _{S^{(\mathsf{r})} R_{[\mathsf{f}]}}^{k}\), the secrecy is
$$\begin{aligned} \rho _{S^{(\mathsf{r})} R_{[\mathsf{f}]}}^{k} &= \rho _{S^{( \mathsf{r})} R_{[\mathsf{f}]}}^{k'} \end{aligned}$$(20)for any k, \(k'\).
The communication complexity of the oneserver multiround QQPIR is written as \(\mathrm{CC}(\Phi )= \sum _{i=1}^{\mathsf{r}} \log Q^{(i)} + \log A^{(i)}\).
Theorem 1
For any multiround QQPIR protocol Φ, the communication complexity \(\mathrm{CC}(\Phi )\) is lower bounded by \(\sum _{\ell =1}^{\mathsf{f}} \log X_{\ell}\), where \(X_{\ell}\) is the system of the ℓth message \(\rho _{\ell}\).
For the proof of Theorem 1, we prepare the following lemmas.
Lemma 9
\(H(A^{(i)}) + H(Q^{(i+1)}) \geq H(T^{(i+1)} )  H(T^{(i)})\).
Proof
Lemma 9 is shown by the relation
Here, \((b)\), \((c)\), and \((d)\) express the respective properties presented in Proposition 1. □
Lemma 10
The relation \(H( R_{[\mathsf{f}]} S^{(\mathsf{r})}) \ge \sum _{\ell =1}^{ \mathsf{f}}H( R_{\ell})\) holds.
Proof
Given the user’s input k, Correctness (19) guarantees that the final state on \(R_{k}\otimes Y\) is a pure state, and therefore, \(R_{k}\) is independent of any system except for Y. Thus, \(R_{k}\) is independent of \(R_{[\mathsf{f}]\setminus \{k\} } S^{(\mathsf{r})}\). The secrecy condition (20) guarantees that the final state on \(R_{[\mathsf{f}]} \otimes S^{(\mathsf{r})}\) does not depend on k. Hence, \(R_{1}, \ldots , R_{\mathsf{f}}\), and \(S^{(\mathsf{r})}\) are independent of each other. Therefore, we have
□
Proof of Theorem 1
We choose the initial state on \(R_{\ell}\otimes X_{\ell}\) to be the maximally entangled state for \(\ell =1, \ldots , \mathsf{f}\). From Lemmas 9 and 10, we derive the following inequalities:
where (a) and (b) express the respective properties presented in Proposition 1. In addition, (22) is obtained by applying Lemma 9 for all \(i=1,\ldots , \mathsf{r}1\). The step (23) follows from \(H(Q^{(1)}) = H(T^{(1)})\) which holds due to the property (a) in Proposition 1, because the state on \(Q^{(1)} T^{(1)}\) is the pure state as the state on \(Q^{(0)} T^{(0)}\) is the pure state. The step (24) follows from Lemma 10. □
6 QQPIR protocol with prior entanglement under honestserver model
In the previous section, we proved that the trivial solution is optimal even in the finalstate criterion under the honest oneserver model of QQPIR. In this section, we construct a QQPIR protocol with lower communication complexity under various secrecy models than the trivial solution when we allow shared entanglement between the user and the server.
Let \(\mathsf{m}= \sum _{\ell =1}^{\mathsf{f}} \log X_{\ell}\) be the size of all messages. To measure the amount of the prior entanglement, we count sharing one copy of {\mathsf{I}}_{2}\u300b=(1/\sqrt{2})(00\u3009+11\u3009) as an ebit. Accordingly, we count sharing the state {\mathsf{I}}_{d}\u300b\in {\mathbb{C}}^{d}\otimes {\mathbb{C}}^{d} as logd ebits.
Theorem 2
Suppose there exists a CQPIR protocol under a certain secrecy model with communication complexity \(f(d_{1}, \ldots , d_{\mathsf{f}})\) when \(g(d_{1}, \ldots , d_{\mathsf{f}})\)ebit prior entanglement is shared between the user and the server. Then, there exists a QQPIR protocol under the same secrecy model with communication complexity \(f(d_{1}^{2}, \ldots , d_{\mathsf{f}}^{2})\) when \(\mathsf{m}+g(d_{1}, \ldots , d_{\mathsf{f}})\)ebit prior entanglement is shared between the user and the server.
The protocol satisfying Theorem 2 is a simple combination of quantum teleportation [1] and any CQPIR protocol. For the description of the protocol, we use the generalized Pauli operators and maximally entangled state for ddimensional systems defined in (11). Hence, the type of guaranteed secrecy in the original CQPIR protocol is inherited to the converted QPIR protocol. We construct the QQPIR protocol satisfying Theorem 2 as follows.
Protocol 3
Let \(\Phi _{\mathrm{cl}}\) be a CQPIR protocol and \(d_{1},\ldots , d_{\mathsf{f}}\) be the size of the \(\mathsf{f}\) classical messages. From this protocol, we construct a QQPIR protocol as follows.
Let \(X_{1},\ldots , X_{\mathsf{f}}\) be the quantum systems with dimensions \(d_{1},\ldots , d_{\mathsf{f}}\), respectively, and \(\rho _{1},\ldots , \rho _{\mathsf{f}}\) be the quantum message states on systems \(X_{1},\ldots , X_{\mathsf{f}}\). The user and the server share the maximally entangled states {\mathsf{I}}_{{d}_{\ell}}\u300b, defined in (11), on \({Y_{\ell}\otimes Y_{\ell}'}\) for all \(\ell \in [\mathsf{f}]\), where \(Y_{[\mathsf{f}]}\) and \(Y_{[\mathsf{f}]}'\) are possessed by the user and the server, respectively.
The user and the server perform the following steps.

1)
Preparation: For all \(\ell \in [\mathsf{f}]\), the server performs the generalized Bell measurement \(\mathbf{M}_{\mathsf{X}\mathsf{Z},d_{\ell}}\), defined in (12), on \(X_{\ell}\otimes Y_{\ell}'\), where the measurement outcome is written as \(m_{\ell }= (a_{\ell}, b_{\ell})\in [0: d_{\ell}1]^{2}\).

2)
Use of CQPIR protocol: The user and the server perform the CQPIR protocol \(\Phi _{\mathrm{cl}}\) to retrieve \(m_{k} = (a_{k},b_{k})\).

3)
Reconstruction: The user recovers the kth message \(\rho _{k}\) by applying \(\mathsf{X}_{d_{k}}^{a_{k}}\mathsf{Z}_{d_{k}}^{b_{k}} \) on \(Y_{k}\).
The correctness of the protocol is guaranteed by the correctness of the teleportation protocol and the CQPIR protocol \(\Phi _{\mathrm{cl}}\). When the ℓth message state is prepared as \(\rho _{\ell}\) and its purification \(\phi _{\ell}\rangle \) is denoted with the reference system \(R_{\ell}\), after Step 1, the states on \(R_{\ell}\otimes Y_{\ell}\) is
for all \(\ell \in [\mathsf{f}]\). Thus after Step 3, the targeted state \({\phi _{k}}\rangle \) is recovered in \(R_{k}\otimes Y_{k}\).
To analyze the secrecy of Protocol 3, note that only Step 2 has the communication between the user and the server. Thus the secrecy of Protocol 3 is guaranteed by the secrecy of the underlying protocol \(\Phi _{\mathrm{cl}}\).
Protocol 1 (Protocol 2) is a oneround CQPIR protocol in the finalstate criterion under the honestserver model (the speciousserver model) with input states \({\mathcal{C}}\) with communication complexity \(2 \log \mathsf{f}+\log d\) (\(4 \log \mathsf{f}+2 \log d\)). Therefore, the combination of Protocols 1 and 3 and the combination of Protocols 2 and 3 yield the following corollary.
Corollary 2
There exists a QQPIR protocol with communication complexity \(2 \log \mathsf{f}+\log d^{2}=2\log \mathsf{f}d \) (\(4 \log \mathsf{f}+2 \log d^{2}=4\log \mathsf{f}d \)) and prior entanglement \(\mathsf{m}\) that satisfies the secrecy in the finalstate criterion under the honestserver model (the speciousserver model). When d is a constant, the communication complexity is \(2 \log \mathsf{m}+o(\mathsf{m})\) (\(4 \log \mathsf{m}+o( \mathsf{m})\)).
Proof
The case under the honestserver model is trivial. Hence, we show the desired statement under the speciousserver model.
Assume that the server makes a specious attack. The user’s state at the end of Step 2) of Protocol 3 is the pair of entanglement halves \(\sigma _{1}\) and the state transmitted at Step 2) of Protocol 2\(\sigma _{2}\). Due to the specious condition, the state \(\sigma _{1}\) needs to be one of the states \(\{\mathsf{X}^{a}\mathsf{Z}^{b} \rho _{K}(\mathsf{X}^{a}\mathsf{Z}^{b})^{ \dagger}\}_{(a,b) \in [0:d1]^{2}}\) with equal probability. That is, using the random variable \((a,b) \in [0:d1]^{2}\) under the uniform distribution, the state \(\sigma _{1}\) is written as \(\mathsf{X}^{a}\mathsf{Z}^{b} \rho _{K}(\mathsf{X}^{a}\mathsf{Z}^{b})^{ \dagger}\). Hence, the state \(\sigma _{2}\) needs to be decided according to the random variable \((a,b)\) in the same way as the honest case. That is, the state \(\sigma _{2}\) satisfies the condition for the state transmitted by a specious server of Protocol 2 at Step 2). Since Protocol 2 satisfies the secrecy under the finalstate criterion under the speciousserver model with input states \({\mathcal{C}}\), the specious server obtains no information in the final state. That is, the combined QQPIR protocol with prior entanglement satisfies the secrecy under the finalstate criterion under the speciousserver model. □
Combining Theorem 2 and Corollary 1, we obtain the following corollary.
Corollary 3
There exists a QQPIR protocol with communication complexity \(O( \log \mathsf{m})\) and prior entanglement of \(\Theta (\mathsf{m})\) ebits that satisfies the secrecy in the allround criterion under the honestserver model when the message size d is fixed to a constant.
One property of Protocol 3 is that all other states in the server are destroyed at Step 1. This is a disadvantage for the server but an advantage for the user since the user can retrieve other states \(\rho _{\ell}\) if the user could retrieve classical information \(m_{\ell }\in [0:d_{\ell}1]^{2}\) corresponding to the state \(\rho _{\ell}\).
7 Conclusion
We have shown an exponential gap for the communication complexity of oneserver QQPIR in the finalstate criterion or under the honestserver model between the existence and the nonexistence of prior entanglement. For this aim, as the first step, we have proposed an efficient oneserver oneround CQPIR protocol in the finalstate criterion. Also, we have shown that the protocols proposed in [12] satisfies the secrecy in the allround criterion under the honest server model. Then, as the second step, we have proved that the trivial solution of downloading all messages is optimal even in the finalstate criterion for honest oneserver QQPIR, which is a similar result to that of classical PIR but different from CQPIR. As the third step, we have developed a conversion from any CQPIR protocol to a QQPIR protocol, which yields an efficient QQPIR protocol with prior entanglement from a CQPIR protocol. The proposed protocols exhibit an exponential improvement over the QQPIR’s trivial solution.
In fact, Protocols 1 and 2 work as oneserver oneround CQPIR protocol in the finalstate criterion under the honestserver model or the speciousserver model. However, Theorem 1 shows that no analogy of Protocol 1 nor 2 works for QQPIR protocol under similar settings without prior entanglement. This impossibility is caused by the noncloning property of the quantum system, i.e., the property that the noiseless channel has no information leakage to the third party, because the proof of Theorem 1 relies on the fact that noiseless quantum communication ensures that the entropy of the final state on the third party is equal to the entropy of the final state on the composite system comprising the output system and the reference system. This impossibility is one of the reasons for our obtained exponential gap.
The above exponential gap has been established under three problem settings. The first and the second are the finalstate criterion under the honestserver model and under the speciousserver model. The third is the allround criterion under the honestserver model. In other words, other problem settings do not have such an exponential improvement by using prior entanglement. This exponential improvement is much larger than the improvement achieved through the use of dense coding [2]. This exponential improvement can be considered as a useful application of prior entanglement. It is an interesting open problem to find similar exponential improvement by using prior entanglement.
Data Availability
No datasets were generated or analysed during the current study.
Notes
Observe that \(y^{j1}\) is a binary string of length \(2^{\mathsf{h}(j1)}\), and then \(y^{j1}[i_{j}]\) is a binary string of length \(2^{\mathsf{h}(j1)1}=2^{\mathsf{h}j}\). The term \(y^{j1}[i_{j}]\oplus y^{j}\) in the definition of is thus well defined.
Abbreviations
 PIR:

private information retrieval
 QPIR:

quantum private information retrieval
 CQPIR:

quantum private information retrieval for the classical messages
 QQPIR:

quantum private information retrieval for the quantum messages
References
Bennett CH, Brassard G, Crépeau C, Jozsa R, Peres A, Wootters WK. Teleporting an unknown quantum state via dual classical and EinsteinPodolskyRosen channels. Phys Rev Lett. 1993;70(13):1895–9.
Bennett CH, Wiesner SJ. Communication via one and twoparticle operators on EinsteinPodolskyRosen states. Phys Rev Lett. 1992;69:2881.
Wang C, Deng FG, Li YS, Liu XS, Long GL. Quantum secure direct communication with highdimension quantum superdense coding. Phys Rev A. 2005;71:044305.
Wu J, Long GL, Hayashi M. Quantum secure direct communication with private dense coding using a general preshared quantum state. Phys Rev Appl. 2022;17:064011.
Gavoille C, Kosowski A, Markiewicz M. What can be observed locally? Roundbased models for quantum distributed computing. In: Proc. DISC’09: proceedings of the 23rd international conference on distributed computing. 2009. p. 243–57.
Elkin M, Klauck H, Nanongkai D, Pandurangan G. Can quantum communication speed up distributed computation? In: PODC’14: proceedings of the 2014 ACM symposium on principles of distributed computing. 2014. p. 166–75.
Kerenidis I, de Wolf R. Exponential lower bound for 2query locally decodable codes via a quantum argument. In: Proc. 35th ACM symposium on theory of computing (STOC’ 03). 2003. p. 106–15.
Kerenidis I, de Wolf R. Quantum symmetricallyprivate information retrieval. Inf Process Lett. 2004;90:109–14.
Olejnik L. Secure quantum private information retrieval using phaseencoded queries. Phys Rev A. 2011;84:022313.
Baumeler Ä, Broadbent A. Quantum private information retrieval has linear communication complexity. J Cryptol. 2015;28:161–75.
Le Gall F. Quantum private information retrieval with sublinear communication complexity. Theory Comput. 2012;8(16):369–74.
Kerenidis I, Laurière M, Le Gall F, Rennela M. Information cost of quantum communication protocols. Quantum Inf Comput. 2016;16(3–4):181–96.
Aharonov D, Brakerski Z, Chung KM, Green A, Lai CY, Sattath O. On quantum advantage in information theoretic singleserver PIR. In: Ishai Y, Rijmen V, editors. EUROCRYPT 2019. vol. 11478. Cham: Springer; 2019.
Song S, Hayashi M. Capacity of quantum private information retrieval with multiple servers. IEEE Trans Inf Theory. 2021;67(1):452–63.
Song S, Hayashi M. Capacity of quantum private information retrieval with collusion of all but one of servers. IEEE J Sel Areas Inf Theory. 2021;2(1):380–90.
Song S, Hayashi M. Capacity of quantum private information retrieval with colluding servers. IEEE Trans Inf Theory. 2021;67(8):5491–508.
Allaix M, Holzbaur L, Pllaha T, Hollanti C. Quantum private information retrieval from coded and colluding servers. IEEE J Sel Areas Inf Theory. 2020;1(2):599–610.
Allaix M, Song S, Holzbaur L, Pllaha T, Hayashi M, Hollanti C. On the capacity of quantum private information retrieval from MDScoded and colluding servers. IEEE J Sel Areas Commun. 2022;40(3):885–98.
Kon WY, Lim CCW. Provably secure symmetric private information retrieval with quantum cryptography. Entropy. 2021;23(1):54.
Wang C, Kon WY, Ng HJ, Lim CC. Experimental symmetric private information retrieval with measurementdeviceindependent quantum network. Light: Sci Appl. 2022;11:268.
Wang C, Kon WY, Ng HJ, Lim CC. Experimental symmetric private information retrieval with quantum key distribution. In: Sciarrino F, Treps N, Giustina M, Silberhorn C, editors. Quantum information and measurement VI 2021. Technical digest series. Optica Publishing Group; 2021.
Wiesner S. Conjugate coding. SIGACT News. 1983;15(1):78–88.
Gottesman D, Chuang I. Quantum Digital Signatures. 2001. arXiv:quantph/0105032.
Mochon C. Quantum weak coin flipping with arbitrarily small bias. 2007. arXiv:0711.4114.
Chailloux A, Kerenidis I. Optimal quantum strong coin flipping. In: Proc. 50th annual IEEE symposium on foundations of computer science, FOCS 2009. Atlanta, Georgia, USA. October 2527, 2009. 2009. p. 527–33.
Aharonov D, Chailloux A, Ganz M, Kerenidis I, Magnin L. A simpler proof of the existence of quantum weak coin flipping with arbitrarily small bias. SIAM J Comput. 2016;45(3):633–79.
Crépeau C, Gottesman D, Smith A. Secure multiparty quantum computing. In: STOC’02: proceedings of the thiryfourth annual ACM symposium on theory of computing. 2002. p. 643–52.
Goyal V, Liang X, Malavolta G. On concurrent multiparty quantum computation. In: Handschuh H, Lysyanskaya A, editors. Advances in cryptology – CRYPTO 2023. CRYPTO 2023. Lecture notes in computer science. vol. 14085. Cham: Springer; 2023.
Cachin C, Micali S, Stadler M. Computationally private information retrieval with polylogarithmic communication. In: Advances in cryptology  EUROCRYPT’99. 1999. p. 402–14.
Lipmaa H. First CPIR protocol with datadependent computation. In: Proceedings of the 12th international conference on information security and cryptology. 2009. p. 193–210.
Beimel A, Stahl Y. Robust informationtheoretic private information retrieval. In: Proceedings of the 3rd international conference on security in communication networks (SCN’02). 2003. p. 326–41.
Yekhanin S. Towards 3query locally decodable codes of subexponential length. J ACM. 2008;55(1):1–6.
Devet C, Goldberg I, Heninger N. Optimally robust private information retrieval. In: 21st USENIX security symposium. 2012.
Chan TH, Ho SW, Yamamoto H. Private information retrieval for coded storage. In: Proc. IEEE international symposium on information theory (ISIT2015). Hong Kong, China. June, 14–19, 2015. 2015. p. 2842–6.
Sun H, Jafar S. The capacity of private information retrieval. IEEE Trans Inf Theory. 2017;63(7):4075–88.
Sun H, Jafar S. The capacity of symmetric private information retrieval. In: 2016 IEEE globecom workshops (GC Wkshps). Washington. 2016. p. 1–5.
Sun H, Jafar S. The capacity of robust private information retrieval with colluding databases. IEEE Trans Inf Theory. 2018;64(4):2361–70.
Banawan K, Ulukus S. The capacity of private information retrieval from coded databases. IEEE Trans Inf Theory. 2018;64(3):1945–56.
FreijHollanti R, Gnilke OW, Hollanti C, Karpuk DA. Private information retrieval from coded databases with colluding servers. SIAM J Appl Algebra Geom. 2017;1(1):647–64.
Kumar S, Lin HY, Rosnes E, Graell i Amat A. Achieving maximum distance separable private information retrieval capacity with linear codes. IEEE Trans Inf Theory. 2019;65(7):4243–73.
Lin HY, Kumar S, Rosnes E, Graell i Amat A. An MDSPIR capacityachieving protocol for distributed storage using nonMDS linear codes. In: Proc. IEEE international symposium on information theory (ISIT2018), Talisa Hotel in Vail. Colorado, USA. June, 17–22, 2018. 2018. p. 966–70.
Tian C, Sun H, Chen J. A Shannontheoretic approach to the storageretrieval tradeoff in PIR systems. In: Proc. IEEE international symposium on information theory (ISIT2018), Talisa Hotel in Vail. Colorado, USA. June, 17–22, 2018. 2018. p. 1904–8.
Wang Q, Skoglund M. Symmetric private information retrieval for MDS coded distributed storage. In: Proceedings of 2017 IEEE international conference on communications (ICC). 2017. p. 1–6.
Tandon R. The capacity of cache aided private information retrieval. In: Proc. 2017 55th annual Allerton conference on communication, control, and computing (Allerton). 2017. p. 1078–82.
Banawan K, Ulukus S. The capacity of private information retrieval from byzantine and colluding databases. IEEE Trans Inf Theory. 2019;65(2):1206–19.
Holzbaur L, FreijHollanti R, Li J, Hollanti C. Towards the capacity of private information retrieval from coded and colluding servers. IEEE Trans Inf Theory. 2022;68(1):517–37.
Kadhe S, Garcia B, Heidarzadeh A, El Rouayheb S, Sprintson A. Private information retrieval with side information. IEEE Trans Inf Theory. 2019;66(4):2032–43.
Tajeddine R, Gnilke OW, Karpuk D, FreijHollanti R, Hollanti C. Private information retrieval from coded storage systems with colluding, byzantine, and unresponsive servers. IEEE Trans Inf Theory. 2019;65(6):3898–906.
Giovannetti V, Lloyd S, Maccone L. Quantum private queries. Phys Rev Lett. 2008;100:230502.
Dupuis F, Nielsen JB, Salvail L. Secure twoparty quantum evaluation of unitaries against specious adversaries. In: Proc. 30th annual conference on advances in cryptology (CRYPTO’10). Berlin: Springer; 2010. p. 685–706.
Chor B, Goldreich O, Kushilevitz E, Sudan M. Private information retrieval. J ACM. 1998;45(6):965–81.
Hayashi M. Quantum information theory: mathematical foundation, graduate texts in physics. Berlin: Springer; 2017.
Koashi M, Imoto N. Phys Rev A. 2002;66:022318.
Hayden P, Jozsa R, Petz D, Winter A. Commun Math Phys. 2004;246:359.
Funding
SS was supported by Research Fellow of the Japan Society for the Promotion of Science No. JP20J11484. FLG was partially supported by Japan Society of the Promotion of Science (JSPS) GrantinAid for Scientific Research (S) under Grant 24H00071, for Scientific Research (A) under Grants 20H00579 and 21H04879, and for Scientific Research (B) under Grant 20H04139. MH was supported in part by the National Natural Science Foundation of China No. 62171212.
Author information
Authors and Affiliations
Contributions
S. S. initiated this project, and prepared figures 1 and 2. M. H. prepared Tables I, II, and III. F. L. contributed Section IVC. M. H. and S. S. wrote the main manuscript text except for Section IVC. All authors reviewed the manuscript.
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix: KoashiImoto theory
Appendix: KoashiImoto theory
Here, we discuss KoashiImoto theory [53] under the following assumption. We assume a state family \({\mathcal{S}}=\{ \rho _{x}\}_{x \in {\mathcal{X}}}\) on \({\mathcal{H}}\) satisfies the following condition.
 (A):

When a subspace \({\mathcal{K}} \subset {\mathcal{H}}\) satisfies the condition \(P_{\mathcal{K}} \rho _{x} = \rho _{x} P_{\mathcal{K}}\) for any element \(x \in {\mathcal{X}}\), the \({\mathcal{K}}\) is \(\{0\}\) or \({\mathcal{H}}\), where \(P_{\mathcal{K}}\) is the projection to \({\mathcal{K}}\),
Under the above assumption, we have the following proposition.
Proposition 3
Assume the assumption (A). We consider a POVM \(\{M_{y}\}_{y\in {\mathcal{Y}}}\) on \({\mathcal{H}}\). When there exists a TPCP map \(\Gamma _{y}\) for any element \(y\in {\mathcal{Y}}\) such that the relation \(\sum _{y}\Gamma _{y} (\sqrt{M}_{y} \rho _{x} \sqrt{M}_{y})=\rho _{x}\) holds for any element \(x \in {\mathcal{X}}\), then \(M_{y}\) is a constant times of the identity operator.
To prove Proposition 3, we rewrite Theorem 9 of [54] under the assumption (A).
Proposition 4
Assume the assumption (A). When a TPCP map Γ satisfies the relation \(\Gamma (\rho _{x} )=\rho _{x}\) holds for any element \(x \in {\mathcal{X}}\), then Γ is the identity operator.
Proof
We choose the TPCP map \(\Gamma (\rho ):=\sum _{y}\Gamma _{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y})\). The TPCP map Γ satisfies the condition for Proposition 4. We choose Steinspring representation of \(\Gamma _{y}\) as an ancilla system \({\mathcal{R}}\), an initial pure state \(\rho _{0}\) on \({\mathcal{R}}\), and a unitary \(U_{y}\) on \({\mathcal{H}}\otimes {\mathcal{R}}\) such that \(\Gamma _{y}(\rho )= \operatorname{Tr}_{R} U_{y} (\rho \otimes \rho _{0})U_{y}^{ \dagger}\), where we can choose \({\mathcal{R}}\) and \(\rho _{0}\) commonly for \(\Gamma _{y}\). Here, we assume that \({\mathcal{R}}\) is spanned by \(\{1\rangle _{R}, \ldots , d_{R}\rangle _{R}\}\) and \(\rho _{0}\) is .
Therefore, we have \(\sum _{y} \operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{\dagger}= \rho \). Since the above relation holds for any pure state ρ, \(\operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{ \dagger}\) is a constant times of ρ for any x. Further, since \(\operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{ \dagger}\) is a pure state for any pure state ρ, \(~_{R}\langle j U_{y} 1\rangle _{R}\) is a constant times of \(~_{R}\langle 1 U_{y} 1\rangle _{R}\) for \(j=2, \ldots , d_{R}\). Since \(U_{y}\) is a unitary, \(~_{R}\langle j U_{y} 1\rangle _{R}\) is also a unitary. Thus, \(~_{R}\langle j U_{y} 1\rangle _{R} \sqrt{M}_{y} \rho \sqrt{M}_{y} (~_{R} \langle j U_{y} 1\rangle _{R})^{\dagger}\) is a constant times of ρ. Thus, \(\sqrt{M}_{y}\) is a constant times of a unitary. That is, \(\sqrt{M}_{y}\) is a constant times of the identity operator. □
Rights and permissions
Open Access This article is licensed under a Creative Commons AttributionNonCommercialNoDerivatives 4.0 International License, which permits any noncommercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/byncnd/4.0/.
About this article
Cite this article
Song, S., Le Gall, F. & Hayashi, M. Prior entanglement exponentially improves oneserver quantum private information retrieval for quantum messages. EPJ Quantum Technol. 11, 55 (2024). https://doi.org/10.1140/epjqt/s40507024002666
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s40507024002666